Executive Summary


• Cloudflare was built to help you and your end users be more secure on the Internet. We are a privacy-first company, and our network and all of our products are built with data protection in mind.

• Cloudflare maintains a broad set of legal and contractual protections that comply with Australia’s Privacy Act and the 13 Australian Privacy Principles (APPs).

• Cloudflare offers product features and technical protections for Cloudflare customers who do not want their data to leave Australia.

Cloudflare’s unique global cloud network consists of data centers in over 275 cities across more than 100 countries. Cloudflare provides you with tools to manage how your data is routed through these data centers so you can customize where your traffic is inspected in ways that meet your security, privacy, and performance needs.


About Cloudflare 


Cloudflare’s mission is to help build a better Internet. We provide a global cloud platform that 
delivers a broad range of network services to individuals and businesses of all sizes around 
the world. Cloudflare’s network and growing portfolio of products improve the security, 
privacy, performance, and reliability of anything that is connected to the Internet. In addition 
to serving our customers, Cloudflare’s mission is also to help make the Internet itself better 
— always on, always fast, always secure, always private, and available to everyone. 


Cloudflare’s network, developer community, and business are all ultimately built on customer trust. We seek to continually earn and maintain customer trust by being clear about our commitments to data privacy and how we manage customer and end user data on our systems. We also build trust by building and deploying products that (i) help improve the security of our systems, (ii) encrypt data at rest or in transit, and (iii) allow our customers to determine how traffic is inspected in different locations around the world. Finally, we earn customer trust by securing and maintaining industry-defined certifications (e.g. ISO 27001 and 27701, SSAE 18, and SOC 2 Type II) and providing contracting mechanisms (e.g. Data Processing Agreements) that communicate our shared responsibility model with our customers in ensuring privacy.
Cloudflare in Australia


Today, millions of global Internet properties use Cloudflare. This list includes many 
organizations in Australia, including established enterprises like Blackmores, fast-growing 
companies like Canva and Neto (recently acquired by Maropost), and public institutions like 
the University of Western Australia, VicRoads, and the Asia Pacific Network Information 
Centre. As companies and organizations of all sizes rely more on the Internet as a critical 
platform to serve their customers, users, and stakeholders, they are rapidly adopting 
secure and reliable cloud networks like Cloudflare to help protect their Internet-facing 
applications, infrastructure, and people from threats of all kinds. 


We recognize that data protection in Australia presents unique challenges. Australia has a 
comprehensive privacy regulation in the form of the Australia Privacy Act (Privacy Act) and 
the 13 Australian Privacy Principles (APPs). In addition, the Australian Prudential Regulation 
Authority sets out Prudential Standards applicable to financial data that third-party service 
providers need to acknowledge. Several regulations govern the privacy of personal health 
information (e.g., the Health Records and Information Privacy Act 2002 (NSW), the Health 
Records Act 2001 (Vic), and National Health Act). 


Cloudflare’s Internet platform is built to support Australia’s most privacy-conscious and 
regulated industries, including financial services, the public sector, retail, and healthcare. 
At Cloudflare, we build our products to meet the highest standards of security and user 
privacy, and we partner closely with each of our Australian customers to help them meet 
data protection obligations associated with their specific location and industry segment. 
We accomplish this through a variety of avenues, including: 


• Our overarching corporate commitment to privacy
• Maintaining global security and privacy certifications
• Maintaining the 13 APPs’ compliant data transfer mechanisms
• Offering product features which support data localisation


This paper explains those avenues in detail. 


Cloudflare’s unique corporate commitment to privacy 


Cloudflare was built to help you and your customers be more secure on the Internet. We 
are a privacy-first company, and our network and all of our products are built with data 
protection in mind. We commit in our Privacy Policy that we will not sell personal data we 
process on your behalf or use it for any purpose other than to provide our services to you. 
Throughout our history, we’ve never violated this promise. In fact, our privacy stance was 
defined long before governments started regulating privacy in ways that forced many 
other technology companies to update their practices in order to appropriately prioritize 
customer and user privacy. We do not generate revenue from advertising — or profile our 
customers’ end users or end-user data for any purpose — and thus default against the 
collection and retention of personal data we process on your behalf. 
Below are some of the privacy commitments we make that differentiate us from many 
other cloud services providers: 


• Cloudflare does not sell personal data.
• Cloudflare does not track our customers’ end users across Internet properties.
• Cloudflare does not profile our customers’ end users to sell advertisements.
• Cloudflare only retains personal data as necessary to provide Cloudflare offerings to our customers.
• Cloudflare has never provided to any third party or government our customers’ encryption keys or a feed of customer content transiting our network, and we have a longstanding commitment that we would exhaust all legal remedies before complying with such a request.
• Cloudflare has publicly committed that we will pursue legal remedies to contest any U.S. government request for data that we identify as being subject to data protection laws that may create a conflict of interest.
• Cloudflare’s policy is to notify our customers of any legal process requesting their information before disclosure of that information, unless legally prohibited.


Cloudflare’s global security certifications 


Cloudflare meets industry-leading standards for security and privacy, and validates those 
commitments with third party auditors on an annual basis. 


Cloudflare has been certified to a new international privacy standard for protecting and managing the processing of personal data — ISO/IEC 27701:2019. This standard is less than two years old, and adapts the existing Information Security Management System concept into the creation of a Privacy Information Management System (PIMS). There are requirements to make sure this privacy management system is robust and is also continually improving to meet its defined objectives. The standard is designed such that the requirements organizations must meet to become certified are very closely aligned to the requirements in Europe’s General Data Protection Regulation (GDPR).


Put simply, the ISO 27701 certification provides assurance to our customers that we have a privacy program that has been assessed by a third party to meet an international industry standard aligned to one of the most comprehensive data protection regimes worldwide, and that requires us to keep our privacy program under continuous compliance. This certification, in addition to the Data Processing Addendum (DPA) we make available to our customers in the dashboard, offers our customers multiple layers of assurance that any personal data that Cloudflare processes will be handled in a way that meets the comprehensive data protection requirements, including those set out by the Privacy Act and APPs.
In addition, Cloudflare is compliant with ISO 27001/27002, Payment Card Industry Data Security Standards (PCI DSS), and SSAE 18 SOC 2 Type II. These validations provide assurance to organizations who transfer their most sensitive data through our services, and also help them meet and maintain their own compliance obligations.


Because we care about data protection, we do not just audit where we are required to do so by law or where certifications are available. Our security team performs rigorous internal and external penetration tests, we operate a bug bounty program through HackerOne, and we retain third-party auditors to validate our privacy commitments. Examples include our privacy-focused audits, like one we conducted in relation to our commitments for our 1.1.1.1 public DNS resolver. We are always open to obtaining additional validations that will provide assurance into our privacy program, policies, and practices for processing and storing personal data.


The data Cloudflare processes 


Cloudflare processes the log data of our customers’ end users when those end users 
access our services in line with our customers’ authorization. This log data may include 
but is not limited to IP addresses, system configuration information, and other information 
about traffic to and from our customers’ websites, devices, applications, and/or networks. 
In addition, Cloudflare collects and stores server and network activity data and logs in the 
course of operating our products, and makes observations and analysis of traffic data. 
Our Privacy Policy more specifically describes the information we collect and how we use 
collected information. 


When we do collect and store data from activity on our network, we do so only to make our products better for you, for our other customers, or for the broader Internet community. We do not seek to monetize this data in any way we think would surprise you. For example, we may temporarily store and analyze network traffic data from all of our global customers so that we can intelligently route requests through the most efficient Internet paths. We may also store and analyze network data to detect and identify emerging threat vectors we can immediately use to improve our security tools. Finally, we may aggregate network data from significantly large customer segments (but never from individually identifiable users or customers) to help the Internet community understand trends and threats across the Internet (see Cloudflare Radar).


Cloudflare | Data Protection and Locality Obligations in Australia 


Cloudflare’s data transfer mechanisms 


In the event that Cloudflare, as a data processor, transfers personal data outside Australia, 
we do so under our standard DPA, which is incorporated into our Enterprise Service 
Agreement as well as our Self Serve Subscription Agreement. Our DPA is considered a 
reasonable step by the Office of the Australian Information Commissioner (“OAIC”) to 
legitimize cross-border transfers, according to the 13 APPs. You can find more information 
about our commitment to the APPs and about our DPA here. Importantly, in our DPA we 
commit that we will pursue legal remedies to contest any U.S. government request for data 
that we identify as being subject to the laws of another jurisdiction, such as Australia, and 
we commit to notifying our customers of any legal process requesting their information 
before disclosure of that information, unless legally prohibited. You can view the additional 
safeguards we have added as contractual commitments in section 7 of our DPA. 


Data protection regulations and guidelines are ever-evolving, and we closely monitor 
the regulatory and legislative landscape. We continually look ahead at emerging 
guidance to ensure that our customers and partners can continue to enjoy the benefits 
of Cloudflare in Australia. 


For customers who need to ensure that Cloudflare is not transferring any personal data, 
we offer a set of technical measures known as the Data Localization Suite. 


Cloudflare product features designed to support 
data localisation 


Cloudflare is committed to helping our customers keep personal data in Australia. We offer 
a Data Localization Suite, which gives customers control over where their data is inspected 
and stored. 


Our Data Localization Suite has the following elements: 


• Encryption Key Management (Geo Key Manager and Keyless SSL)
• Payload Inspection Boundary (Regional Services)


Encryption Key Management:


Data privacy is not possible without Internet security, which is provided in large part by 
effective encryption. 


Encryption of data transmitted over a network requires the use of encryption keys, or sets 
of mathematical values that both the sender and the recipient of an encrypted message 
know. SSL/TLS, a cryptographic protocol which makes encrypted communication possible, 
uses a pair of keys — a public key and a private key. Cloudflare customers may choose to 
use two features to ensure that their private keys do not leave Australia: 


• Keyless SSL allows customers to store and manage their own private keys for use with Cloudflare. Customers can use a variety of systems for their keystore, including hardware security modules (“HSMs”), virtual servers, and hardware running Unix/Linux and Windows housed in environments customers control. Keyless SSL is only keyless from Cloudflare’s point of view: Cloudflare never sees the customer’s private key, but the customer still has and uses it. Meanwhile, the public key is still used on the client side like normal.

• Geo Key Manager provides customers with granular control over the data centers in which their private keys are stored. For example, a customer can choose for the private keys to only be accessible inside data centers located in Australia. This approach frees customers from the complexity of deploying Keyless SSL and maintaining their own keystore.


Payload Inspection Boundary: 


Cloudflare offers the most secure and highest performance network-as-a-service products 
because we proxy all of your traffic from the edge of our network. As an authorized proxy 
of your traffic, our services securely inspect your traffic to identify security threats and 
route it from any location across our global network. Cloudflare is one of the only cloud 
providers architected as a unified global platform that can also be configured to serve 
specific regional requirements. This architecture gives Cloudflare customers complete 
control over where and how traffic is inspected. 


Cloudflare’s Regional Services lets customers choose where in the Cloudflare network 
their TLS connections are terminated. For example, a customer could choose to have said 
connections terminate in Australia, so decryption and inspection of the content of HTTPS 
traffic happens only inside Australia. This restriction applies to all of our edge “application 
services,” including: 

• Storing and retrieving content from cache
• Blocking malicious HTTP payloads with the Web Application Firewall (WAF)
• Detecting and blocking suspicious activity with Bot Management
• Running Workers scripts


In practice, when a Cloudflare customer enables Regional Services, their end-user clients will connect to the nearest Cloudflare location anywhere in the world, but if that location is outside Australia, the traffic is passed to a Cloudflare Australian location before it is inspected. The customer still receives the benefit of our global, low-latency, high-throughput network, which is capable of withstanding even the largest DDoS attacks.


However, Regional Services also gives customers local control. Only data centers inside 
Australia will have the access necessary to apply security policies. This approach allows 
Cloudflare to select the fastest route to Australia and the closest available point of 
presence for processing. 
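The two controls described in this section, the key-location control of Keyless SSL and Geo Key Manager and the inspection-boundary control of Regional Services, can be modelled together. The following is an added example written for this page, not Cloudflare code: the PoP names and distances are constructed, the handshake transcript is a placeholder byte string, and signing uses textbook RSA with the well-known toy parameters p=61, q=53 so that it runs with the Python standard library alone. What it shows is the architectural split: the edge only ever holds the certificate's public key and a signature it received, the private exponent never leaves the in-region key server, and an out-of-region entry PoP hands the connection to an in-region PoP before anything is decrypted.

```python
"""Constructed model of Regional Services plus Geo Key Manager / Keyless SSL.
Not Cloudflare's code; PoP table, distances and toy RSA key are invented."""
import hashlib
from dataclasses import dataclass
from typing import Optional

REGION = "AU"  # the region whose data centers may terminate TLS and hold the key

# Constructed PoP table: (name, country, made-up distance from the client).
POPS = [
    ("SIN", "SG", 10),
    ("SYD", "AU", 40),
    ("MEL", "AU", 45),
    ("LAX", "US", 120),
]


class KeyServer:
    """Customer keystore (Keyless SSL) or an in-region key store (Geo Key Manager).
    Exposes a signing oracle only; the private exponent is never returned.
    Toy RSA: p=61, q=53 -> n=3233, e=17, d=2753 (constructed, not a real key)."""

    def __init__(self, location: str):
        self.location = location
        self.n, self.e = 3233, 17  # public part, also present in the certificate
        self._d = 2753             # private exponent: stays on this host

    def sign(self, digest: int) -> int:
        return pow(digest, self._d, self.n)


@dataclass
class HandshakeRecord:
    entry_pop: str         # PoP the client's connection landed on
    inspection_pop: str    # PoP where TLS was terminated and the payload inspected
    signing_location: str  # where the private key was actually used
    digest: int
    signature: int


def nearest_pop(country: Optional[str] = None):
    """Nearest PoP overall, or nearest PoP inside `country` when given."""
    pops = [p for p in POPS if country is None or p[1] == country]
    return min(pops, key=lambda p: p[2])


def transcript_digest(transcript: bytes, n: int) -> int:
    """Hash the handshake transcript and reduce it into the toy RSA group."""
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % n


def verify(digest: int, signature: int, n: int, e: int) -> bool:
    """Client-side check using only the public key from the certificate."""
    return pow(signature, e, n) == digest


def handle_connection(transcript: bytes, regional_services: bool,
                      key_server: KeyServer) -> HandshakeRecord:
    """One HTTPS connection: anycast lands it on the nearest PoP; with Regional
    Services on, an out-of-region PoP forwards it to the nearest in-region PoP
    before termination; the terminating PoP asks the key server for a signature
    over the transcript instead of ever holding the private key itself."""
    entry = nearest_pop()
    inspection = entry
    if regional_services and entry[1] != REGION:
        inspection = nearest_pop(REGION)
    digest = transcript_digest(transcript, key_server.n)
    signature = key_server.sign(digest)  # only the signature crosses the wire
    return HandshakeRecord(entry[0], inspection[0], key_server.location,
                           digest, signature)


if __name__ == "__main__":
    ks = KeyServer("AU")
    transcript = b"ClientHello|ServerHello|Certificate"  # constructed transcript
    rec = handle_connection(transcript, regional_services=True, key_server=ks)
    print(rec)
    print("client verifies signature:", verify(rec.digest, rec.signature, ks.n, ks.e))
```

With Regional Services enabled, a client whose nearest PoP is the constructed Singapore location is terminated and inspected in Sydney; with it disabled, inspection happens at the entry PoP, but in both cases the signing location is the AU key server, which is the property Keyless SSL and Geo Key Manager provide independently of where the connection enters the network.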
Shared opportunities and responsibilities


Because we know Australian organizations need to integrate privacy and security 
principles into every aspect of their business, we have prepared this chart to make it easy 
to understand who is responsible for these commonly requested privacy requirements: 


Principle: Data protection by design
Responsibility: Shared
Responsibility details:
Cloudflare is responsible for delivering products and services with privacy in mind. The privacy team provides reviews, assessments, and training to ensure that privacy is instilled in the way we work.

Customers are responsible for their usage and configuration of their Cloudflare services, and should periodically review their use and configuration of these services to validate that data protection principles have been considered in the design and implementation.


Principle: Subject access request
Responsibility: Shared
Responsibility details:
Cloudflare provides data subjects with the right of access, correction, and deletion of personal information regardless of their jurisdiction of residence. Data subject requests may be sent to sar@cloudflare.com.

If we receive a request from someone who appears to be an end user of one of our customers, we will direct that person to contact our customer directly.


Principle: Adequate security
Responsibility: Shared
Responsibility details:
Cloudflare maintains a security program in accordance with industry standards. The security program includes maintaining formal security policies and procedures, establishing proper logical and physical access controls, implementing technical safeguards in corporate and production environments (including establishing secure configurations, secure transmission and connections, logging, and monitoring), and having adequate encryption technologies for personal data.

Customers are responsible for reviewing the security posture of their cloud providers like Cloudflare, and can do so by reviewing our compliance validations and reports. We also encourage our customers to review their Dashboard security settings to ensure they adhere to their security policies and procedures.


Principle: Personal data breaches
Responsibility: Shared
Responsibility details:
Cloudflare will notify customers as soon as we become aware of any breach of security leading to the loss, unauthorized disclosure of, or access to, personal data processed by Cloudflare or its sub-processors. Cloudflare is also responsible for providing our customers with reasonable cooperation and assistance in light of the breach, including providing customers with reasonable information in Cloudflare’s possession concerning the circumstances of the breach and the personal data impacted.

Customers are responsible for complying with regulatory or contractual requirements to notify their end users and/or government authorities of any personal data breach.
A global cloud network built on customer trust


Cloudflare’s first priority is to earn and maintain customer trust. We understand that 
transparency into Cloudflare’s privacy commitments — and into our approach for building 
data locality and privacy safeguards into our network and products — helps customers 
meet their own obligations. We also understand that Cloudflare’s industry certifications 
and well-designed contracting mechanisms help us create a strong relationship of trust 
with our Australian customers. 


Cloudflare’s privacy and security teams are here to partner with you to address the most stringent requirements you may face in your country, region, or industry. Our knowledgeable Account Executives, Customer Success Managers, and Sales Engineers partner regularly with our privacy and security compliance teams to help our customers configure the Cloudflare products they use to meet their specific compliance obligations.


If you would like a demonstration or specialized session on configuration of your 
services to meet your unique obligations, contact us today. Please email us at 
privacyquestions@cloudflare.com or security@cloudflare.com. 